I was wondering if anyone with server experience might be able to advise me here. In my web server log, I'm occasionally seeing GET entries that appear to be accessing URLs from external web servers. Example:
xxx.xx.xxx.xxx - - [22/Dec/2007:04:26:42 +0000] "GET http://www.intel.com/ HTTP/1.1" 200 1316
What concerns me is that it's returning a 200 OK status code, meaning the server sent back a valid page of some sort. If I try sending the same request manually to my server:
127.0.0.1 - - [02/Jan/2008:21:05:15 +0000] "GET http://www.intel.com/ HTTP/1.1" 400 383
As you can see, this gave a 400 Bad Request response.
Why would clients be trying to access external URLs through my server, and why are they returning 200 OK status codes? Is it some kind of HTTP tunneling exploit so they can spoof IPs? Is it perhaps an exploit designed to trick my server into revealing information that's not in the public web directory?
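One way to pull proxy-style entries like these out of an access log, as an added example that is not part of the original post: it flags request lines whose target is an absolute URL or a CONNECT authority for a host the server does not serve, and records whether the server answered with a non-error status. It assumes Common Log Format; `OWN_HOSTS` is a hypothetical list of the server's own names, and the sample lines are constructed (documentation-range client addresses stand in for the redacted ones).

```python
import re
from urllib.parse import urlsplit

# Hypothetical: hostnames this server legitimately answers for.
OWN_HOSTS = {"www.example.org", "example.org"}

# Common Log Format: client ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

# Constructed sample lines modelled on the entries quoted in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Dec/2007:04:26:42 +0000] "GET http://www.intel.com/ HTTP/1.1" 200 1316',
    '203.0.113.7 - - [22/Dec/2007:04:26:50 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.23 - - [22/Dec/2007:05:01:10 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 300',
    '198.51.100.40 - - [22/Dec/2007:05:02:00 +0000] "GET http://www.example.org/about HTTP/1.1" 200 2048',
    '127.0.0.1 - - [02/Jan/2008:21:05:15 +0000] "GET http://www.intel.com/ HTTP/1.1" 400 383',
]

def classify(line, own_hosts=OWN_HOSTS):
    """Return a finding for a proxy-style request to a foreign host, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, when, request, status = m.groups()
    parts = request.split()
    if len(parts) != 3:
        return None  # malformed or truncated request line
    method, target, _version = parts
    if method.upper() == "CONNECT":
        form, host = "authority-form", target.rsplit(":", 1)[0]
    elif "://" in target:
        form, host = "absolute-form", urlsplit(target).hostname or ""
    else:
        return None  # ordinary origin-form request such as "GET /index.html"
    host = host.lower()
    if host in own_hosts:
        return None  # absolute URL naming this server itself
    code = int(status)
    return {"client": client, "time": when, "form": form,
            "target_host": host, "status": code, "answered": code < 400}

def scan(lines, own_hosts=OWN_HOSTS):
    """Collect findings for every proxy-style line, in log order."""
    return [f for f in (classify(l, own_hosts) for l in lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "ANSWERED" if f["answered"] else "refused"
        print(f'{f["time"]} {f["client"]} {f["form"]} {f["target_host"]} {f["status"]} {flag}')
```

Entries marked as answered are the ones to compare against what the server returns for the same request line sent by hand.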